alerts index pattern issue


Olexandr Yermak

Oct 16, 2024, 5:23:20 AM
to Wazuh | Mailing List
Good morning guys, I'm having some trouble with my fresh Wazuh installation. Once I installed the wazuh-dashboard, as the guide says, I need to go to the web interface and log in here --> URL: https://<WAZUH_DASHBOARD_IP_ADDRESS> with my credentials.
Once I logged in, I got this warning: "Check alerts index pattern"
with the following text:

INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Getting list of valid index patterns...
INFO: Valid index patterns found: 1
INFO: Found default index pattern with title [wazuh-alerts-*]: yes
INFO: Checking the app default pattern exists: id [wazuh-alerts-*]...
INFO: Default pattern with id [wazuh-alerts-*] exists: yes
ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern
INFO: Checking the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id exists [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Checking if the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*]
INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*]
INFO: Template found for the selected index-pattern title [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: [wazuh-alerts-*]
INFO: Getting index pattern data [wazuh-alerts-*]...
INFO: Index pattern data found: [yes]
INFO: Refreshing index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]...
WARNING: Index pattern fields for title [wazuh-alerts-*], id [wazuh-alerts-*] could not be refreshed due to: No matching indices found: No indices match pattern "wazuh-alerts-*". This could be an indicator of some problem in the generation, not running server service or configuration to ingest of alerts data.
INFO: Getting settings...
INFO: Check dashboard setting [timeline:max_buckets]: 200000
INFO: App setting [timeline:max_buckets]: 200000
INFO: Settings mismatch [timeline:max_buckets]: no
INFO: Getting settings...
INFO: Check dashboard setting [metaFields]: ["_source","_index"]
INFO: App setting [metaFields]: ["_source","_index"]
INFO: Settings mismatch [metaFields]: no
INFO: Getting settings...
INFO: Check dashboard setting [timepicker:timeDefaults]: {"from":"now-24h","to":"now"}
INFO: App setting [timepicker:timeDefaults]: "{\"from\":\"now-24h\",\"to\":\"now\"}"
INFO: Settings mismatch [timepicker:timeDefaults]: no


How can I remove this warning?

I attached all the useful screenshots (hopefully!)
4.png
2 (1).png
1.png

Juan Cabrera

Oct 16, 2024, 5:49:53 AM
to Wazuh | Mailing List

Hello Olexandr,

The log indicates that the Wazuh alerts index pattern fields (wazuh-alerts-*) could not be refreshed. This usually happens because the corresponding indices might be missing in your environment.

I suggest checking whether the wazuh-alerts-* indices exist. If they don’t, as the warning message suggests, there could be an issue with alert generation. This could be due to the Wazuh server not generating alerts, or the Wazuh server service being stopped or down. Additionally, there might be an issue with Filebeat, such as configuration problems, connectivity issues with the Wazuh indexer, or the Filebeat service being stopped.

Check if the wazuh-alerts-* indices are present. In the Wazuh dashboard, go to Index/Indexer Management > Dev Tools and run the following request:

GET /_cat/indices/wazuh-alerts-*

On the other hand, if everything is correct and you delete the index pattern from the UI (as shown in your last screenshot), the dashboard should automatically regenerate it. This can often resolve issues where the index pattern fields aren’t refreshing properly.

After removing it, try refreshing the page and see if the warning disappears.

Let me know if this helps!

Olexandr Yermak

Oct 16, 2024, 6:13:02 AM
to Juan Cabrera, Wazuh | Mailing List, jalalra...@gmail.com

Hello Juan,

Thank you for the quick reply.

We've tried deleting the patterns and refreshing the page, but the error still persists.

image.png

I've added my colleague in CC, who will continue with the next tests you suggest. Could this issue be related to Filebeat? Perhaps some steps were accidentally skipped during the step-by-step installation?

He has just finished the installation of Wazuh in a clustered environment.

Best regards.


--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/LpSMoas3XP0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b82b41a6-6e88-4cbe-b60a-6d04a5987279n%40googlegroups.com.

Juan Cabrera

Oct 16, 2024, 6:37:22 AM
to Wazuh | Mailing List

Hi,

For an easier setup, we recommend using our installation guide with the wizard: Wazuh Installation Assistant. It simplifies the process and helps avoid common issues.

If you encountered difficulties, perhaps you followed the more detailed step-by-step installation guide?

Please paste me the output of the command:

GET /_cat/indices/wazuh-alerts-*

Olexandr Yermak

Oct 16, 2024, 6:55:21 AM
to Juan Cabrera, Wazuh | Mailing List
Sorry Juan, I replied only to you in my last message, by accident.
Looks like one step was missed during installation. I've done some checks and repeated the Filebeat installation process.

Now I have this result, instead of the error:
image.png
But Filebeat still cannot start. The error from the journal is as follows:
image.png

I also tried to remove the pattern again, but it still cannot be recreated in the right way:
image.png

Which is actually "normal", since Filebeat, which is in charge of pushing templates, is not starting.

From here on, Jalal will follow up, because he did the installation process.
Let him know what to do in order to solve the Filebeat issues, because I have no idea why it cannot start.
Thank you again.


Juan Cabrera

Oct 16, 2024, 7:59:18 AM
to Wazuh | Mailing List
Hi,

Could you let me know how you installed and which version you are using? Sometimes, re-installing can resolve issues like this, especially if there was a problem during the initial setup. It might be worth giving it a try!

Olexandr Yermak

Oct 16, 2024, 10:22:41 AM
to Wazuh | Mailing List
Hi Juan,
We've installed everything by following these instructions:

Of course, with the indexer first and the dashboard after.
Tried to reinstall Filebeat but the issue is not changing. The meta.json file is missing, so Filebeat is not starting.
Any idea?

Thank you

Juan Cabrera

Oct 17, 2024, 5:29:29 AM
to Wazuh | Mailing List

Hi Olexandr,

Is there a particular reason you aren’t using the assisted installation? You can find more details here: Wazuh Installation Assistant.

Additionally, please check if the following file exists: etc/filebeat/data/registry/filebeat/meta.json. If it does, ensure that the file permissions allow access.

Regards!

Jalal

Oct 24, 2024, 1:35:38 AM
to Wazuh | Mailing List
Hi Juan, if it doesn't exist, what should we do?

Jalal

Oct 24, 2024, 1:35:45 AM
to Wazuh | Mailing List
Hi Juan, if it doesn't exist, what should we do?
Best Regards.

Juan Cabrera

Oct 24, 2024, 7:20:05 AM
to Wazuh | Mailing List

Hi Jalal,

The setting for the path is filebeat.registry.path. The registry is a directory. Currently this directory contains meta.json and data.json files. The meta.json file contains a version number, allowing beats to migrate schemas in the future and data.json is the actual data in json format.

Check that the permissions of that directory are correct and that the meta.json file that is not found is inside.
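
One way to run the check described above, as an added example that is not part of the original reply and is not Filebeat or Wazuh code. The hypothetical helper `registry_status` takes the registry directory as its argument and assumes meta.json stores its version number under a key named `version`; the sample directory and file content are constructed.

```shell
#!/bin/sh
# Added example (not Filebeat or Wazuh code). registry_status is a hypothetical
# helper; pass it the directory that holds meta.json on your system.

# Print one status word for a registry directory; return 0 only for "ok".
registry_status() {
    dir=$1
    if [ ! -d "$dir" ]; then echo missing-dir; return 1; fi
    # The service needs read, write and search permission on the directory.
    if [ ! -r "$dir" ] || [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo dir-not-accessible; return 1
    fi
    if [ ! -f "$dir/meta.json" ]; then echo missing-meta; return 1; fi
    if [ ! -r "$dir/meta.json" ]; then echo meta-not-readable; return 1; fi
    # meta.json carries a version number; an empty or truncated file does not.
    # Assumption: the key is named "version".
    if ! grep -q '"version"' "$dir/meta.json"; then
        echo meta-no-version; return 1
    fi
    echo ok
}

# Constructed demonstration in a temporary directory.
demo_dir=$(mktemp -d)
echo "empty directory: $(registry_status "$demo_dir" || true)"
printf '{"version":"1"}\n' > "$demo_dir/meta.json"   # constructed sample content
echo "with meta.json:  $(registry_status "$demo_dir" || true)"
rm -rf "$demo_dir"
```

Run it as the account the Filebeat service runs as, so the permission tests reflect what the service itself can access.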

Olexandr Yermak

Nov 8, 2024, 8:22:26 AM
to Wazuh | Mailing List
Hello Team,

I'm back on this issue.
Removed everything and started over with the assisted installation.
How to bypass this error message?

ERROR: The IP xxx.xxx.xxx.xxx is public.

Actually it is not public. It is behind a firewall which accepts connections only from one exact IP address, so we need a solution to skip this error.

Thank you

Olexandr Yermak

Nov 8, 2024, 8:43:54 AM
to Wazuh | Mailing List

I've modified the installation script on line 4114:


for ip in "${all_ips[@]}"; do
    isIP=$(echo "${ip}" | grep -P "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")
    if [[ -n "${isIP}" ]]; then
        # Commenting out the public IP check
        # if ! cert_checkPrivateIp "$ip"; then
        #     common_logger -e "The IP ${ip} is public."
        #     exit 1
        # fi
        common_logger -i "The IP ${ip} is being used."
    fi
done

Now it works like a charm.

Thank you all. 
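
The modification above turns the public-address check off for every entry in `all_ips`. A narrower alternative keeps the check and admits only addresses that were explicitly reviewed; this is an added example, not part of the original post and not Wazuh installer code. The helpers, the `ALLOWED_PUBLIC_IPS` variable and the choice of private ranges (RFC 1918 plus loopback) are assumptions of this example, and it also validates octet values, which the `grep -P` pattern in the loop does not.

```shell
#!/bin/sh
# Added example, not Wazuh installer code. is_ipv4, is_private_ipv4 and
# check_node_ip are hypothetical helpers; ALLOWED_PUBLIC_IPS is a hypothetical
# space-separated list of reviewed exceptions.

# Succeed only for four dot-separated decimal octets, each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -n "$o4" ] && [ -z "$rest" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeed for RFC 1918 ranges and loopback (the ranges are this example's choice).
is_private_ipv4() {
    is_ipv4 "$1" || return 1
    case "$o1" in
        10|127) return 0 ;;
        172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] ;;
        192) [ "$o2" -eq 168 ] ;;
        *) return 1 ;;
    esac
}

# Print "private", "allowlisted" or "rejected"; fail only when rejected.
check_node_ip() {
    if is_private_ipv4 "$1"; then echo private; return 0; fi
    for allowed in $ALLOWED_PUBLIC_IPS; do
        if [ "$allowed" = "$1" ] && is_ipv4 "$1"; then echo allowlisted; return 0; fi
    done
    echo rejected
    return 1
}

# Constructed sample input: 203.0.113.0/24 is a documentation range.
ALLOWED_PUBLIC_IPS=${ALLOWED_PUBLIC_IPS:-203.0.113.10}
for ip in 10.0.0.5 203.0.113.10 203.0.113.11; do
    echo "${ip}: $(check_node_ip "$ip" || true)"
done
```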